Malware Analysis Report

2024-12-07 17:13

Sample ID: 241112-qtcshstekd
Target: B5A2500277DE385BCEF6CD2DF4D60F3CE168A7A7C1F2C3739F3673745505587D.apk
SHA256: b5a2500277de385bcef6cd2df4d60f3ce168a7a7c1f2c3739f3673745505587d
Tags: impact collection credential_access discovery evasion persistence stealth trojan
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file B5A2500277DE385BCEF6CD2DF4D60F3CE168A7A7C1F2C3739F3673745505587D.apk was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests enabling of the accessibility settings

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-12 13:32

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows financial apps to read filtered sms messages. android.permission.SMS_FINANCIAL_TRANSACTIONS N/A N/A
Required to be able to discover and pair nearby Bluetooth devices. android.permission.BLUETOOTH_SCAN N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to recognize physical activity. android.permission.ACTIVITY_RECOGNITION N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 13:32

Reported

2024-11-12 13:33

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

38s

Command Line

dwxj.zqdpo.dzfa

Signatures

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

dwxj.zqdpo.dzfa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 142.250.200.2:443 tcp
GB 216.58.204.78:443 tcp

Files

/data/data/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

/data/data/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 13:32

Reported

2024-11-12 13:35

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

dwxj.zqdpo.dzfa

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/dwxj.zqdpo.dzfa/[email protected] N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

dwxj.zqdpo.dzfa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
DK 95.164.10.114:4114 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 lib.contact udp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp

Files

/data/data/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

/data/data/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

/data/user/0/dwxj.zqdpo.dzfa/[email protected]

/data/data/dwxj.zqdpo.dzfa/oat/x86_64/[email protected]

/data/user/0/dwxj.zqdpo.dzfa/[email protected]

/data/data/dwxj.zqdpo.dzfa/oat/x86_64/[email protected]

/data/data/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes1.dex

/data/data/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes2.dex

/data/data/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes3.dex

/data/data/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes4.dex

/data/data/dwxj.zqdpo.dzfa/files/Factory/Plugins/oat/classes.dex.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 13:32

Reported

2024-11-12 13:35

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

dwxj.zqdpo.dzfa

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/dwxj.zqdpo.dzfa/[email protected] N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests enabling of the accessibility settings

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

dwxj.zqdpo.dzfa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
DK 95.164.10.114:4114 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 lib.contact udp

Files

/data/user/0/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

/data/user/0/dwxj.zqdpo.dzfa/files/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

/data/user/0/dwxj.zqdpo.dzfa/[email protected]

/data/user/0/dwxj.zqdpo.dzfa/oat/x86_64/[email protected]

/data/user/0/dwxj.zqdpo.dzfa/[email protected]

/data/user/0/dwxj.zqdpo.dzfa/oat/x86_64/[email protected]

/data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes1.dex

/data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes2.dex

/data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes3.dex

/data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/classes4.dex

/data/user/0/dwxj.zqdpo.dzfa/files/Factory/Plugins/oat/classes.dex.cur.prof
